From 673878b2056caeeae7b119dc6845c6299a153c69 Mon Sep 17 00:00:00 2001
From: Francesco Colista <fcolista@alpinelinux.org>
Date: Thu, 14 Mar 2019 17:17:34 +0000
Subject: main/openjpeg: security fixes

        - CVE-2018-5785

        this commit fixes #10097
---
 main/openjpeg/APKBUILD            |  8 +++-
 main/openjpeg/CVE-2018-5785.patch | 79 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 main/openjpeg/CVE-2018-5785.patch

diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 66ef7f5166..0403c5f0f8 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openjpeg
 pkgver=2.3.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Open-source implementation of JPEG2000 image codec"
 url="http://www.openjpeg.org/"
 arch="all"
@@ -14,6 +14,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v
 	CVE-2018-18088.patch
 	CVE-2018-14423.patch
 	CVE-2018-6616.patch
+	CVE-2018-5785.patch
 	"
 builddir="${srcdir}/$pkgname-$pkgver"
 
@@ -28,6 +29,8 @@ build() {
 }
 
 # secfixes:
+#   2.3.0-r2:
+#     - CVE-2018-5785
 #   2.3.0-r1:
 #     - CVE-2018-14423
 #     - CVE-2018-6616
@@ -62,4 +65,5 @@ sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520
 15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74  CVE-2017-17480.patch
 24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb  CVE-2018-18088.patch
 4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537  CVE-2018-14423.patch
-9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222  CVE-2018-6616.patch"
+9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222  CVE-2018-6616.patch
+ec48472de6c6d34abff949bbae1ae1e92e0b59939c13345a3a69c8219fdf91ea2c07dda59fe212a88212b3116cae1fb8c47aa5d12b84af669a28aa52864f55de  CVE-2018-5785.patch"
diff --git a/main/openjpeg/CVE-2018-5785.patch b/main/openjpeg/CVE-2018-5785.patch
new file mode 100644
index 0000000000..b93515ccd4
--- /dev/null
+++ b/main/openjpeg/CVE-2018-5785.patch
@@ -0,0 +1,79 @@
+From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sat, 22 Sep 2018 14:33:19 -0400
+Subject: [PATCH] convertbmp: fix issues with zero bitmasks
+
+In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+with header size <= 56, all bitmask values keep their initialization
+value 0. This may lead to various undefined behavior later e.g. when
+doing 1 << (l_comp->prec - 1).
+
+This issue does not affect files with bit count 16 because of a check
+added in 16240e2 which sets default values to the color masks if they
+are all 0.
+
+This commit adds similar checks for the 32 bit case.
+
+Also, if a BMP file declares compression 3 with header size >= 56 and
+intentional 0 bitmasks, the same issue will be triggered in both the
+16 and 32 bit count case.
+
+This commit adds checks to bmp_read_info_header() rejecting BMP files
+with "intentional" 0 bitmasks. These checks might be removed in the
+future when proper handling of zero bitmasks will be available in
+openjpeg2.
+
+fixes #1057 (CVE-2018-5785)
+---
+ src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 084f70bb7..7fde99ab3 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+         header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+         header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+ 
++        if (!header->biRedMask) {
++            fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++            return OPJ_FALSE;
++        }
++
+         header->biGreenMask  = (OPJ_UINT32)getc(IN);
+         header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+         header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+         header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+ 
++        if (!header->biGreenMask) {
++            fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++            return OPJ_FALSE;
++        }
++
+         header->biBlueMask  = (OPJ_UINT32)getc(IN);
+         header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+         header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+         header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+ 
++        if (!header->biBlueMask) {
++            fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++            return OPJ_FALSE;
++        }
++
+         header->biAlphaMask  = (OPJ_UINT32)getc(IN);
+         header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+         header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
+         bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+                          0x00000000U);
+     } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++        if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++                (Info_h.biBlueMask == 0U)) {
++            Info_h.biRedMask   = 0x00FF0000U;
++            Info_h.biGreenMask = 0x0000FF00U;
++            Info_h.biBlueMask  = 0x000000FFU;
++        }
+         bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
+                          Info_h.biBlueMask, Info_h.biAlphaMask);
+     } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
-- 
cgit v1.2.3